Configure Dependabot only to report semver releases for the github-actions ecosystem when using pinned hashes
#125481
Unanswered
lgarron asked this question in Code Security
Replies: 0 comments
Topic Area: Question
Body
I maintain a project that contains the following configuration:
The project uses https://github.com/marketplace/actions/amazon-ecr-login-action-for-github-actions in some of its GitHub Actions workflows.
Unfortunately, Dependabot sends us a pull request every week due to mechanical pushes to main at https://github.com/aws-actions/amazon-ecr-login

We just want to receive a PR to our project when there is a tagged release for the action, and despite many attempts I have not been able to figure out how to do this. Everything in https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates implies that we should be getting PRs only for version releases, not individual commits to the dependency. For example, there is an option to ignore "version-update:semver-patch" but not, say, "version-update:commit".

I suspect this is because we actually pin the hash of the latest releases. That is, we specify
aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
rather than aws-actions/[email protected]
as a good security practice for an extremely sensitive operation. But upgrading on every commit to that action would be a security liability, if anything.

Is there a way to tell Dependabot only to send us PRs for semver updates, without lowering the security of our configuration?
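As an added illustration (not the asker's configuration, which is not reproduced on this page, and not a confirmed answer to the question), here is what a dependabot.yml entry for the github-actions ecosystem with an ignore rule on update types looks like, alongside a workflow step that pins a full commit SHA and keeps the release tag in a trailing comment, which Dependabot rewrites together with the SHA when it proposes an update. The job name, the `with:` values and the `vX.Y.Z` tag are placeholders; whether the version comment makes Dependabot apply semver-based ignore rules to SHA-pinned actions is not established by this page and should be checked against the current Dependabot documentation.

```yaml
# .github/dependabot.yml  (added example, not the asker's file)
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      # The existing Dependabot option mentioned in the question: suppress
      # PRs whose only change is the patch component of a semver tag.
      - dependency-name: "aws-actions/configure-aws-credentials"
        update-types: ["version-update:semver-patch"]
---
# .github/workflows/deploy.yml  (excerpt; job name and inputs are assumed)
jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # needed for OIDC role assumption
      contents: read
    steps:
      # Pin the full 40-character commit SHA (the practice described in the
      # question) and keep the release tag in a trailing comment. Dependabot
      # updates both the SHA and the comment in the PRs it opens.
      # "vX.Y.Z" is a placeholder: use the tag that points at the pinned SHA.
      - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # vX.Y.Z
        with:
          aws-region: us-east-1                                   # assumed value
          role-to-assume: arn:aws:iam::123456789012:role/example  # assumed value
```

Before relying on a pinned SHA, confirm that it is actually the commit a release tag points at rather than an arbitrary commit on the default branch: `git ls-remote --tags https://github.com/aws-actions/configure-aws-credentials` lists each tag with its commit (annotated tags also show a `^{}` line with the dereferenced commit), and the SHA in `uses:` should match one of those.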